热门标签
热门文章
- 1最拼命最努力的时候(转)
- 2Mac上Angular的环境搭建_mac angular
- 3看懂这篇文章,前后端分离再和面试官扯皮就没问题了_前后端需要两个端口吗
- 4自学编程80余年,这些私藏的实用工具&学习网站陪我走到了现在,必须收藏,学习效率翻倍 - 网站篇_03024百万文字综合论坛
- 5org.apache.hadoop.hbase.PleaseHoldException: Master is initializing(解決方案汇总+自己摸索)
- 6linux网络编程-很全的_linux下的网络编程
- 7python 将文件夹里多个json文件合并成一个_python合并json文件
- 8Git使用记录_fatal: unable to access目标地址
- 9笔记:ubuntu22.04重启后无法启动网络_stopping systemd-networkd.service
- 10Kafka常用操作命令_查看kafka某个主题
当前位置: article > 正文
faillock与ldap策略共存问题_fail lock
作者:很楠不爱3 | 2024-05-01 06:10:45
赞
踩
fail lock
问题背景
遇到了密码策略的问题。
其中一项是设置用户连续三次登录失败后,锁定用户一个小时。
于是,使用faillock模块在/etc/pam.d/system-auth和/etc/pam.d/password-auth中完成了设置。
但是在生产环境中,是使用了ldap认证的,其内已经有了相关的密码策略,使用ldap账号登录机器失败时,会被锁定,属性是pwdAccountLockedTime。
但是如果有的场景,又会使用本地用户呢?
所以就需要配置faillock与ldap一同工作。
解决
注意,当安装authconfig工具后,/etc/pam.d/system-auth是指向/etc/pam.d/system-auth-ac的一个软链接。
CentOS7 解决
- 保证系统中的
system-auth和password-auth是干净的初始化状态 - 使用
authconfig工具,先进行一次原始备份,防止改得面目全非时,可以回滚authconfig --savebackup=system_raw.bak
- 使用
authconfig工具同时开启ldap和faillock
[root@nano-kvm-13 pam.d]# authconfig --enablemkhomedir --enableldap --enableldapauth --ldapserver=ldap://10.6.38.254 --ldapbasedn="dc=biyao,dc=com" --enableshadow --enablefaillock --faillockargs="preauth silent audit deny=3 unlock_time=3600" --update
- 1
- 2
- 再手动修改一下
system-auth文件 ,否则faillock不生效
system-auth文件
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent preauth silent audit deny=3 unlock_time=3600 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass #auth required pam_faillock.so authfail preauth silent audit deny=3 unlock_time=3600 这一行改成下面的样子 auth required pam_faillock.so authfail audit deny=3 unlock_time=3600 auth required pam_deny.so account required pam_faillock.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
password-auth文件
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent preauth silent audit deny=3 unlock_time=3600 auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail audit deny=3 unlock_time=3600 auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_faillock.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
CentOS6
CentOS6上authconfig没有faillock的选项。
# 先移除这个,再安装nss-pam-ldapd, openldap-clients
[root@biyaotest pam.d]# yum remove sssd
[root@biyaotest pam.d]# authconfig --enablemkhomedir --enableldap --enableldapauth --ldapserver=ldap://10.6.38.254 --ldapbasedn="dc=biyao,dc=com" --enableshadow --disableldaptls --disableldapstarttls --disablesssd --disablesssdauth --update
Starting nslcd: [ OK ]
Starting oddjobd: [ OK ]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 手动添加
faillock的配置项
system-auth文件
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth required pam_faillock.so preauth silent preauth silent audit deny=3 unlock_time=3600 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_faillock.so authfail audit deny=3 unlock_time=3600 auth required pam_deny.so account required pam_faillock.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
password-auth文件
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faillock.so preauth silent preauth silent audit deny=3 unlock_time=3600 auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail audit deny=3 unlock_time=3600 auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_faillock.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
效果
- 本地用户和ldap用户登录失败都会被faillock记录。
- 本地用户登录失败后,faillock --reset 即可使用正确密码重新登录
- ldap用户登录失败后,会同时被 faillock 和 ldap 共同锁定,
- 这时,faillock --reset 之后,使用正确密码登录,因为ldap中没有解除,仍然会失败,faillock仍然会记录
- 需要在两边共同解锁
参考
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel : CHAPTER 1. CONFIGURING USER AUTHENTICATION USING AUTHSELECT
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/很楠不爱3/article/detail/517422
推荐阅读
相关标签
